Los Angeles school board data breach sees data on thousands of students stolen

School Bus
(Image credit: Marcelo Cidrack / Unsplash)

In early June 2024, a threat actor with the alias Sp1d3r put a database for sale on the dark web, claiming it belonged to the Los Angeles Unified School District (LAUSD) and was stolen from its Snowflake account. 

The hacker was asking $150,000 for the archive that contained student names, addresses, family names, demographics, financials, grades, performance scoring, disability information, discipline details, and parent information.

Now, a month later, the organization has confirmed the authenticity of the threat actor’s claims, potentially putting millions of students at risk.

Credential stuffing

"Through its extensive and ongoing investigation, the District has determined that the data in question was maintained by one or more Los Angeles Unified external vendors on Snowflake, a cloud-based platform used for mass data storage, and appears to have been stolen in a manner consistent with recently publicized thefts involving numerous Snowflake accounts," the LAUSD said in a statement to BleepingComputer.

"So far, the District's ongoing investigation has revealed no evidence of any compromise to our systems or networks; however the investigation into the scope and extent of the data impacted is ongoing."

Sp1d3r has recently put up numerous databases for sale, all apparently stolen from Snowflake: Ticketmaster, Santander Bank, Advance Auto Parts, Pure Storage, and others. Snowflake’s initial report, conducted together with Mandiant and Crowdstrike, claims that its infrastructure is intact, and that the attacker managed to break into these accounts with brute force and credential stuffing - trying out username/password combinations stolen elsewhere, against accounts that did not have multi-factor authentication (MFA) set up.

LAUSD said it notified relevant authorities and law enforcement, and that it is actively cooperating with the FBI, CISA, and its vendors, as the incident is thoroughly investigated.

Sp1d3r says it has 11GB of sensitive data, which includes 26 million records with student information, more than 24,000 teacher records, and around 500 staff information. The going price for the archive was $1,000.

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.